User with no roles can create Incident from REST call

Issue

When a user has no roles and is not able to create an Incident from the UI, that user can still create an Incident by making a REST API call with a POST method against the Incident table.

For example: if an internal user account has only a read role on the Incident table, the user cannot create an Incident through the UI, because the only role they hold grants read permissions on the Incident table. If that same user account is used to make a REST call with a POST method to create an Incident, the Incident is still created.

Release

All Releases

Cause

This is expected behavior. The OOB 'Incident' ACL with the 'create' operation (sys_id 80a7a096c0a8016662c872762163bbdc) only honors roles if the Explicit Roles plugin is installed. When the Explicit Roles plugin is installed, the 'snc_internal' role is required in order to create Incidents via the UI or a REST call.

Note: This behavior also applies to the OOB Inbound email action 'Create Incident' (sys_id 3ccfeff5c611227a0180144333c87af9). When an email address doesn't resolve to a user on the sys_user table, the 'guest' user is impersonated and used, which allows an Incident to be created by a user with no roles.

Resolution

To resolve the issue, install and activate the Explicit Roles plugin. Once the plugin has been installed, the OOB 'Incident' ACL that has the 'create' operation (sys_id 80a7a096c0a8016662c872762163bbdc) requires users to have the 'snc_internal' role in order to create an Incident, whether through the UI or a REST call.

Explicit Role Documentation: https://docs.servicenow.com/en-US/bundle/utah-platform-security/page/administer/contextual-security/concept/explicit-roles.html
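
A check for the behavior described above, added here as an example and not ServiceNow's own code: it sends the Table API POST to the Incident table with a test account's credentials and reports whether the 'create' ACL let it through, so the result can be compared before and after activating the Explicit Roles plugin. The environment variable names and the marker short description are assumptions; an allowed result leaves a real Incident behind, so use a sub-production instance and delete the returned sys_id afterwards.

```python
import base64
import json
import os
import urllib.error
import urllib.request


def build_request(instance_url, username, password):
    """Build a Table API POST that tries to create one marker Incident."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    body = json.dumps({"short_description": "ACL check: create as low-privilege user"})
    return urllib.request.Request(
        instance_url.rstrip("/") + "/api/now/table/incident",
        data=body.encode(),
        method="POST",
        headers={
            "Authorization": "Basic " + token,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def check_incident_create(instance_url, username, password, send=urllib.request.urlopen):
    """Return (verdict, sys_id). `send` is injectable so the logic can be tested offline."""
    req = build_request(instance_url, username, password)
    try:
        with send(req) as resp:
            status, payload = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, payload = err.code, b""
    if status == 201:
        # Record was created: the 'create' ACL did not stop this account.
        sys_id = json.loads(payload).get("result", {}).get("sys_id")
        return "CREATE_ALLOWED", sys_id
    if status == 403:
        return "CREATE_DENIED", None   # ACL enforced, the expected result once roles are required
    if status == 401:
        return "AUTH_FAILED", None     # bad credentials: says nothing about the ACL
    return f"UNEXPECTED_{status}", None


if __name__ == "__main__":
    # Assumed variable names; set them to a test account on your own instance.
    env = [os.environ.get(k) for k in ("SN_INSTANCE", "SN_USER", "SN_PASSWORD")]
    if all(env):
        print(check_incident_create(*env))
```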